The Deprovision process performs the deprovision operation on the shadow account once the master account is deprovisioned. This causes Active Roles to execute the deprovisioning policies that are in effect on the shadow account to deprovision the linked mailbox of the master account. Note that the mailbox deprovisioning policies must be applied to the container that holds shadow accounts rather than master accounts.
In Active Roles, you can undeprovision the deprovisioned master account. However, this may not undeprovision the shadow account (and, therefore, undeprovision the linked mailbox). For undeprovisioning master accounts to have an effect on shadow accounts, the container that holds deprovisioned master accounts must be in the scope of the Policy Object provided by Exchange Resource Forest Management.
Exchange publishes distribution lists as mail-enabled groups in Active Directory. Such groups are listed in the Global Address List (GAL) and can be administered using Microsoft Outlook. Thus, Outlook can be used to add or remove members from a distribution list provided that the Outlook user is allowed to update the membership list of the respective group in Active Directory.
With Active Roles, an administrator can delegate the membership management task on a group to the account that is designated as the manager of the group. This can be done by specifying the manager’s account on the Managed By page and then selecting the check box to allow the manager to update the membership list of the group. Both the group and the manager’s account must be in the same Active Directory forest.
In the Exchange resource forest topology, where mail-enabled groups are located in a forest other than the one containing user accounts, delegating the membership management task in this way is not feasible. To address the problem, Exchange Resource Forest Management synchronizes the manager setting for a shadow account on a group in the Exchange forest with the respective master account in the accounts forest, causing Active Roles to give the necessary rights to the master account.
If a user account (master account) in an accounts forest is configured to have a mailbox in the Exchange forest, and thus has a shadow account in the Exchange forest, the Managed By page can be used to give the master account the right to manage the membership list of a group. When you specify the shadow account as the manager of the group and select the check box to allow the manager to update the membership list, Exchange Resource Forest Management causes Active Roles to change security settings on the group so that the master account is authorized to add or remove members from the group.
Hence, on the Managed By page, you need to specify the shadow account rather than the master account. This requires a tool that would enable you to identify the shadow account. Exchange Resource Forest Management customizes the Active Roles Web Interface by adding a new entry to identify the shadow account. You can tell the shadow account’s name and other properties from the Shadow Account tab on the Exchange Properties page for the master account.
You can use Active Roles to convert a linked mailbox to a user mailbox, and vice versa, by managing the mailbox in the Exchange forest.
For linked mailboxes in the Exchange forest, the Active Roles Web Interface provides a command allowing you to unlink the mailbox from the external user. The command converts the mailbox to the user mailbox type, and enables the user account associated with the mailbox in the Exchange forest. The external user can no longer access the mailbox.
For user mailboxes in the Exchange forest, the Web Interface provides a command allowing you to link the mailbox to an external user from an accounts forest. The domain of the external user account must be registered with Active Roles (managed domain). The command converts the mailbox to the linked mailbox type, with the mailbox user in the Exchange forest configured as the shadow account and the external user specified as the linked master account.
For step-by-step instructions, see Mailbox type conversion later in this document.
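The conversions above rely on the shadow account in the Exchange forest staying disabled while it carries a reference to the master account. The following audit script is an added example, not part of the Active Roles documentation or product; it assumes an Exchange Management Shell session in the Exchange forest with the ActiveDirectory module available, and reports linked mailboxes whose shadow account is enabled or whose master account reference no longer resolves.

```powershell
# Added example (not Active Roles or One Identity code). Assumes an Exchange
# Management Shell session in the Exchange forest and the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LinkedMailboxAudit {
    $findings = @()
    # Only linked mailboxes are of interest: their Exchange-forest user is the shadow account.
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails LinkedMailbox | ForEach-Object {
        $mbx    = $_
        $user   = Get-User -Identity $mbx.DistinguishedName      # exposes LinkedMasterAccount
        $shadow = Get-ADUser -Identity $mbx.DistinguishedName -Properties Enabled
        $issues = @()

        # The shadow account is a disabled placeholder; an enabled one is a logon path
        # into the Exchange forest that the design does not intend.
        if ($shadow.Enabled) { $issues += 'ShadowAccountEnabled' }

        # Exchange shows the master account as DOMAIN\name when it resolves. A bare SID
        # string means the master account could not be resolved (for example, deleted),
        # leaving an orphaned linked mailbox.
        if ($user.LinkedMasterAccount -match '^S-1-5-') { $issues += 'MasterAccountUnresolved' }

        if ($issues.Count -gt 0) {
            $findings += [pscustomobject]@{
                Mailbox             = $mbx.PrimarySmtpAddress.ToString()
                ShadowAccount       = $shadow.SamAccountName
                LinkedMasterAccount = $user.LinkedMasterAccount
                Issues              = ($issues -join ',')
            }
        }
    }
    return $findings
}

Get-LinkedMailboxAudit | Format-Table -AutoSize
```

Run it from the Exchange forest with an account that can read mailbox and user objects; an empty result means every linked mailbox has a disabled shadow account and a resolvable master account.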
Exchange Resource Forest Management extends the mailbox management capabilities of Active Roles in the case of resource forest topology. This topology option assumes that you have:
With Exchange Resource Forest Management, you can use Active Roles to:
You can create a mailbox when creating a user account in the accounts forest. It is also possible to create a mailbox for a user account that already exists in the accounts forest. As a result, Active Roles creates a disabled user account (shadow account) with a linked mailbox in the Exchange forest, and associates the shadow account and the mailbox with the user account (master account) held in the accounts forest.
The pages for managing the master account include all Exchange properties and tasks that are normally available when the mailbox resides in the same forest as the managed user account. With Exchange Resource Forest Management, Active Roles synchronizes the Exchange properties displayed or changed on the pages for managing the master account with the properties of the linked mailbox.
When you use Active Roles to change the personal or organization-related properties of the master account, Exchange Resource Forest Management causes Active Roles to apply the changes to those properties of the shadow account as well. This function ensures correct information about the master account in the Exchange address lists.
When you deprovision a master account, Exchange Resource Forest Management causes Active Roles to apply the deprovisioning policies to both the master account and shadow account. As a result, Active Roles makes all the necessary changes to deprovision the mailbox. You can revert these changes by undeprovisioning the master account.
For example, you can apply the “Exchange - Recipients Full Control” Access Template to a container in the accounts forest, which enables the delegated administrator to create, view or change linked mailboxes in the Exchange forest by managing master accounts held in that container.
When you make a shadow account the manager or a secondary owner of a distribution group and allow the manager or secondary owners to update the membership list, Exchange Resource Forest Management ensures that the corresponding master account has sufficient rights to add or remove members from that group using Exchange clients such as Microsoft Outlook or Outlook Web App.
Exchange Resource Forest Management also enables Active Roles to provide all these administrative capabilities for linked mailboxes created by Active Roles with an earlier version of Exchange Resource Forest Management or without Exchange Resource Forest Management, or created by tools other than Active Roles. Exchange Resource Forest Management schedules Active Roles to search the managed domains for linked mailboxes whose master account:
For each master account that meets these conditions, Active Roles updates the master account with a reference to the shadow account, thereby extending the capabilities of Exchange Resource Forest Management to that master account and its linked mailbox. As a result, the linked mailbox falls under the control of Exchange Resource Forest Management.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.